    Securin Zero Days · Vulnerability Disclosure Policy (VDP)

    Coordinated Disclosure Framework

    Securin believes that responsible, timely, and coordinated disclosure of security vulnerabilities is foundational to a safer digital ecosystem. This page summarises how we operate as a MITRE-authorised CNA.

    Document Info
    Version: 2.0
    Effective: May 2026
    Owner: Security Research & Disclosure
    Classification: Public
    Supersedes: Version 1.0
    Next Review: Annual
    Standards: ISO/IEC 29147 · 30111 · CVSS v4.0 · CVE JSON 5.0
    Contact: disclose@securin.io
    § 01

    Philosophy & Core Values

    Securin endorses Coordinated Vulnerability Disclosure (CVD) — often called "responsible disclosure" — as the optimal method for communicating newly discovered weaknesses in software and hardware to affected vendors, while minimising harm to end users and the broader public.

    This policy aligns with ISO/IEC 29147:2018, ISO/IEC 30111:2019, CISA BOD 20-01, and industry standards established by Google Project Zero, Microsoft MSRC, Cisco PSIRT, and Anthropic.

    Transparency
    We document and publish disclosure decisions, including timelines and vendor cooperation status.
    Proportionality
    Timelines are calibrated to severity, exploitability, and user impact — not applied uniformly.
    Good Faith
    We presume vendors intend to remediate; timelines are structured to enable, not punish.
    User Safety First
    When active exploitation threatens users, their safety supersedes vendor convenience.
    Accountability
    Public disclosure holds all parties — vendors and Securin alike — accountable for their actions.
    § 02

    Scope

    This policy governs outbound disclosures — vulnerabilities discovered by Securin's research team in third-party software, hardware, firmware, or cloud products within Securin's CNA jurisdiction, or where no other CNA has assumed responsibility.

    In scope: Remote Code Execution · Privilege Escalation · Authentication Bypass · SQL Injection / XSS / CSRF · Supply Chain Vulnerabilities · AI Model Safety Issues · Hardcoded Credentials · Cryptographic Weaknesses

    Out of scope: Theoretical / No PoC · Physical Access Only · Already CVE-assigned · User Misconfiguration
    § 03

    Disclosure Process

    Every vulnerability we discover goes through a documented, staged process — from internal triage through public disclosure.

    01
    Discovery & Internal Triage
    Reproduce and validate with a working PoC. Assess severity via CVSS v4.0. Identify all affected vendors and downstream software. Reserve a CVE ID (not yet published).
    02
    Vendor Notification
    Contact via security.txt (RFC 9116), dedicated security email, or bug bounty platform. All notifications include a high-level description, affected versions, and CVSS score — without full exploit details.
    03
    Coordination Window
    Vendor acknowledgement expected within 7 business days. Follow-up at 14 days. Escalation to CERT/CC or CISA if no response by 14 business days.
    04
    Patch Validation
    Securin validates vendor-supplied fixes within 10 business days and reports back. Full technical details — including PoC — withheld for 30–45 days post-patch to allow downstream deployment.
    05
    Public Disclosure
    Advisory published to securin.io/securin-zero-days with CVE record submitted to NVD. Includes full technical description, impact, timeline, and researcher credit.
    § 04 — 05

    Severity & Disclosure Timelines

    Securin applies CVSS v4.0 base scores as the primary severity mechanism, supplemented by active exploitation status, public exploit availability, and deployment breadth.

    Severity (CVSS v4.0 base score) and default deadline from vendor notification:
    Critical (9.0–10.0): 45 days
    High (7.0–8.9): 90 days
    Medium (4.0–6.9): 90 days
    Low (0.1–3.9): 120 days
    Active Exploitation: When Securin confirms exploitation in the wild, accelerated timelines apply regardless of CVSS score — as low as 7 days (no patch available) or 72 hours when weaponised exploit code appears publicly. This mirrors practices adopted by Google Project Zero, Anthropic, and CISA.

    Maximum Coordination Window: 180 days under any circumstances. Extensions beyond this require documented exceptional circumstances and approval by Securin's Chief Security Officer.
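    The coordination-window milestones (steps 03 and 04 above) and the severity timetable, as an added Python example that is not part of Securin's policy or tooling: it derives the acknowledgement, escalation, extension-request and disclosure dates from a notification timestamp, applying the exploitation overrides and the 180-day cap. Business days are assumed to be Monday to Friday with no holiday calendar, and the sample notification date is constructed.

```python
"""CVD milestone calculator for the timelines in this policy (added example).
Assumption: business days are Mon-Fri; no holiday calendar is modelled."""
from datetime import datetime, timedelta

# (minimum CVSS v4.0 base score, default calendar days from vendor notification)
DEFAULT_DAYS = [(9.0, 45), (7.0, 90), (4.0, 90), (0.1, 120)]
MAX_WINDOW_DAYS = 180          # hard cap unless the CSO approves an exception
SAMPLE_NOTIFIED = datetime(2026, 5, 4, 9, 0)   # constructed: a Monday morning

def shift_business_days(start, n):
    """Move `start` by n Mon-Fri days (negative n moves backwards)."""
    step = timedelta(days=1 if n >= 0 else -1)
    d, remaining = start, abs(n)
    while remaining:
        d += step
        if d.weekday() < 5:
            remaining -= 1
    return d

def default_deadline_days(cvss):
    """Default disclosure window (calendar days) for a CVSS v4.0 base score."""
    if not 0.1 <= cvss <= 10.0:
        raise ValueError("CVSS v4.0 base score must be in 0.1-10.0")
    return next(days for floor, days in DEFAULT_DAYS if cvss >= floor)

def coordination_deadline(notified, cvss, exploited=False,
                          public_exploit=False, extension_days=0,
                          cso_approved=False):
    """Deadline and its basis; exploitation status overrides the CVSS default."""
    if public_exploit:
        return notified + timedelta(hours=72), "weaponised exploit public: 72h"
    if exploited:
        return notified + timedelta(days=7), "exploited, no patch: 7 days"
    days = default_deadline_days(cvss) + extension_days
    if days > MAX_WINDOW_DAYS and not cso_approved:
        days = MAX_WINDOW_DAYS   # extensions past 180 days need CSO approval
    return notified + timedelta(days=days), f"CVSS {cvss}: {days} days"

def milestones(notified, cvss, **kw):
    """Coordination-window dates derived from the notification timestamp."""
    deadline, basis = coordination_deadline(notified, cvss, **kw)
    return {
        "ack_expected": shift_business_days(notified, 7),       # 7 business days
        "escalate_to_cert_cisa": shift_business_days(notified, 14),
        "extension_request_by": shift_business_days(deadline, -7),
        "disclosure_deadline": deadline,
        "basis": basis,
    }
```

Calling `milestones(SAMPLE_NOTIFIED, 9.1)` yields the full schedule for a Critical finding; pass `exploited=True` or `public_exploit=True` to see the accelerated deadlines.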
    § 07

    Our Commitments to Vendors

    Securin holds itself to the same standard of good faith it expects from vendors.

    Confidentiality
    Strict confidentiality of all vulnerability details during the coordination window. Internal distribution limited to need-to-know personnel.
    Responsive Communication
    Securin responds to vendor queries within 3 business days. Deadlines are communicated clearly at first notification and never retroactively shortened without documented cause.
    Patch Validation
    Upon receipt of a proposed fix, Securin validates the patch and reports back within 10 business days.
    No Extortion
    Securin will never demand payment, equity, or compensation as a condition of disclosure — ever.
    Accuracy
    Factual errors in advisories — including CVSS scores and affected version ranges — are corrected upon notification.
    No Data Monetisation
    Unpublished vulnerability details are never sold, licensed, or shared with exploit brokers, governments, or intelligence agencies.
    § 10

    Safe Harbor

    Vendors who engage constructively — acknowledging receipt, communicating progress, and releasing timely patches — are acting in good faith. Securin commits to not misrepresenting vulnerability severity, giving vendors opportunity to review advisories for factual accuracy before publication, and crediting timely remediation publicly.

    Safe harbor does not apply to deliberate data destruction, exfiltration or sale of sensitive data, introduction of malware, use of vulnerabilities to attack third parties, or extortion of any kind.

    § 02 + § 11

    Securin as a CNA

    Securin is a CVE Numbering Authority (CNA), authorised by the US Department of Homeland Security and MITRE. All assigned CVEs follow CNA Operational Rules v4.0+ and are published under this policy's timelines.

    CVE Records follow CVE JSON 5.0 schema with machine-readable CSAF 2.0 files for enterprise consumption. All advisories are catalogued at securin.io/securin-zero-days.

    § 16

    Contact

    Use the channels below for disclosure coordination, press enquiries on advisories, or general security questions. For full technical details, Securin supports PGP/GPG-encrypted email upon key exchange.

    Extension requests must be submitted to disclose@securin.io at least 7 business days before the disclosure deadline.

    Disclosure Coordination: disclose@securin.io
    Security Inquiries: security@securin.io
    Press / Media: pr@securin.io
    Zero Days Index: securin.io/securin-zero-days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    © 2026 Securin Inc · CVE Numbering Authority